The Joint Parliamentary Committee report, along with the Data Protection Bill, 2021, was tabled in both houses of the Parliament on December 16 after two years of deliberations. Since the landmark Puttaswamy judgement in 2017, the government has been under an obligation to pass legislation to protect Indians’ personal data.
We have identified the main points from the report below:
No checks and balances on the Central Government’s powers
Power of DPA: The Central Government has been given absolute power to direct the Data Protection Authority (DPA) in all matters. In the 2019 draft, the authority was bound by the central government’s directions specifically ‘on questions of policy’. The committee said that the authority should be bound by the directions of the central government under all cases and not just on questions of policy.
Exemptions for government bodies: The Central Government will have the authority to exempt any agency of the government from the provisions of the act, subject to just, fair, reasonable, and proportionate procedure.
Agencies to be held liable: Particular ‘government data fiduciaries’ will be held liable for offences under the provisions of the act, instead of state departments or ministries. The earlier draft placed the liability directly on the ‘department or authority or body of the State’ which committed the offence.
Personnel to be held liable: In case a government body commits an offence under the act, the head of office must conduct an in-house enquiry, and the person deemed responsible for the offence will be punished accordingly.
Appointments to Data Protection Authority will be made by a selection committee
The DPA shall consist of a chairperson and not more than six members, one of whom shall be “an expert in the area of law”, the draft said. They will be appointed by a selection committee comprising:
- Cabinet Secretary, as Chairperson of the Selection Committee
- Secretary in the Ministry or Department dealing with Legal Affairs, as a member
- Secretary in MeitY, as a member
- Attorney General of India, as a member
- An independent expert from the fields of data protection or Information Technology, nominated by the Union government, as a member
- Director of any Indian Institute of Technology (IIT), nominated by the government, as a member
- Director of any Indian Institute of Management (IIM), nominated by the government, as a member.
New duty of DPA: The current draft includes a new power of the data protection authority to appoint any agency authorised by the central government to monitor, test, and certify hardware and software of computing devices to “prevent any interdiction or seeding that may cause personal data breach”.
Age of consent for children will be 18
Multiple stakeholders had requested that the bill lower the age of consent to either the US standard (13 years) or the GDPR standard (13-16 years), but the committee decided to leave the age of consent at 18, citing the Contract Act as the basis for this. “We are aware that from the perspective of the full, autonomous development of the child, the age of 18 may appear too high. However, consistency with the existing legal framework demands this formulation. Were the age of consent for the contract to reduce, a similar amendment may be effected here too,” the committee wrote.
Concept of guardian data fiduciary removed: The concept of guardian data fiduciaries is absent in the Data Protection Bill 2021 as opposed to the PDP Bill, 2019. The committee explained that there is no advantage in creating a separate class of data fiduciary known as guardian data fiduciary and that “the concept of guardian data fiduciary may lead to circumvention and dilution of law.”
A new definition for social media intermediaries
The JPC recommended that all social media platforms, which do not act as intermediaries, should be treated as publishers and be held accountable for the content they host, as per a press release. It also proposed classifying social media platforms as significant data fiduciaries, instead of intermediaries and fiduciaries processing children’s data or providing services to them.
One regulator for all media platforms
The JPC also recommended the creation of statutory authority for the regulation of content on all media platforms. “The committee recommends that a statutory media regulatory authority, on the lines of the press council of India, may be set up for the regulation of the contents on all such media platforms irrespective of where their content is published, whether online, print, or otherwise,” the report read.
This recommendation could lead to new liabilities and compliance requirements for social media platforms, streaming platforms, and news media organisations.
Cross-border data transfers based on countries meeting adequacy requirements
Sensitive personal data can be transferred outside the country when the Central Government, after consultation with the DPA, has allowed the transfer to a country, or such entity or class of entities in a country, or an international organisation on the basis of its finding that:
- such sensitive personal data shall be subject to an adequate level of protection, having regard to the applicable laws and international agreements;
- such transfer shall not prejudicially affect the enforcement of relevant laws by authorities with appropriate jurisdiction;
- such sensitive personal data shall not be shared with any foreign government or agency unless such sharing is approved by the Central Government.
A policy for gradual data localisation recommended
The committee has recommended that the Central Government must prepare and pronounce an extensive policy on data localisation encompassing aspects like:
- development of adequate infrastructure for the safe storage of data of Indians which may generate employment
- introduction of alternative payment systems to cover higher operational costs
- inclusion of a system that can support local business entities and startups to comply with the data localisation provisions laid down under this legislation
Report data breaches within the stipulated time
- The committee has recommended significant changes to the role of the DPA during a data breach by requiring data fiduciaries to report all data breaches to the DPA.
- They will be required to submit the notice to the DPA within 72 hours after becoming aware of the data breach, the committee added.
- The DPA should ask the data fiduciaries to maintain a log of all data breaches (both personal and non-personal data breaches), to be reviewed periodically by the Authority, irrespective of the likelihood of harm to the data principal.
Data Protection Officer as one of the key managerial personnel
Definition: The Bill defined a Data Protection Officer as an officer who will be appointed by a significant data fiduciary under Section 30 of the Bill.
Functions of Data Protection Officers: Every significant data fiduciary shall appoint a data protection officer who will be responsible for carrying out functions including the following:
- Providing information and advice to the data fiduciary on matters related to the Act
- Assisting and cooperating with authority on matters of compliance of data fiduciary
- Monitoring personal data processing activities of the data fiduciary
- Providing advice to the fiduciary on carrying out data protection impact assessments
Key Managerial Position: The draft stated that one cannot be appointed as a data protection officer unless the person is a “senior level officer or key managerial person” having adequate knowledge in technical matters, particularly data protection or privacy. These are the officers which, the draft said, fall under the term “key managerial personnel”:
- Chief Executive Officer or Managing Director or the manager
- Company secretary
- Whole time director
- Chief Financial Officer
The new legislation will deal with personal and non-personal data both
The report changed the name of the draft law from the ‘Personal Data Protection Bill’ to the ‘Data Protection Bill, 2021’. This reflects the expansion of the regulatory ambit, as the draft law will also regulate “non-personal data”. According to the Internet Freedom Foundation, the principal purpose behind this framing is to provide a seemingly blank cheque to the Government under Clause 92, which reads as follows:
“Nothing in this Act shall prevent the Central Government from framing (***) any policy for the digital economy, including measures for its growth, security, integrity, prevention of misuse,(***) and handling of non personal data including anonymised personal data.”
Non-personal data should not have a separate framework: The committee recommended that the legal framework on NPD must be a part of the Data Protection Act instead of separate legislation. The report also called for both personal and non-personal data to be regulated by one Data Protection Authority (DPA) to avoid confusion and mismanagement. There was no mention of the non-personal data regulation in the draft Personal Data Protection Bill, 2019.
Penalties on fiduciaries will be dealt with in a single window
The committee has added clause 62 to the bill so that penalties are dealt with in a single window. This requires complaints filed with the Data Protection Authority, as laid down in Section 32 (relating to grievance redressal by a data fiduciary), to be forwarded to the Adjudicating Officer to adjudge the complaint or application for compensation. Earlier, the bill simply laid down that a data principal could approach the Data Protection Authority 30 days after filing a complaint that the data fiduciary fails to address or resolve.
Two years for implementing the Act
The JPC has recommended that the bill must provide 24 months for the implementation of all provisions of the Act, so that data fiduciaries and data processors have enough time to make the necessary changes to their policies, infrastructure, processes, etc. The committee suggested that the phased implementation should be undertaken to ensure:
- The Chairperson and Members of DPA are appointed within three months
- The DPA commences its activities within six months from the date of notification of the Act
- The registration of data fiduciaries should start no later than nine months
- Adjudicators and appellate tribunal commence their work no later than twelve months
- Provisions of the Act shall be deemed to be effective no later than 24 months from the date of notification of this Act.